
CN108322484A - Industrial control data ferrying system - Google Patents


Info

Publication number: CN108322484A
Application number: CN201810323236.7A
Authority: CN (China)
Prior art keywords: data, protocol, data packet, industrial control, application layer
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 袁键, 陈夏裕, 施靖萱
Current assignee: Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Original assignee: Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Application filed by Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Priority to CN201810323236.7A
Publication of CN108322484A

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: separating internal from external traffic, e.g. firewalls; H04L63/0227: filtering policies; H04L63/0236: filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/02: separating internal from external traffic, e.g. firewalls; H04L63/0209: architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/04: providing a confidential data exchange among entities communicating through data packet networks; H04L63/0428: wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10: controlling access to devices or network resources; H04L63/101: access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides an industrial control data ferrying system in the technical field of industrial data ferrying security. The system includes a terminal device, a protocol filter, an industrial isolation gap, a first industrial firewall, a first switch and a first industrial encryption device. The protocol filter is connected to the isolation gap and checks whether the application-layer protocol used by a data packet is permitted; the isolation gap is connected to the first switch and transmits the packet securely; the first industrial firewall is connected to the first switch and checks whether both the application-layer protocol and the network-layer protocol used by the packet are permitted; the first industrial encryption device is connected to the first firewall and encrypts the application-layer data in the packet. This addresses the problem that, in the prior art, an attacker can easily use ferried industrial control data to carry viruses or malicious actions, and ensures that an attacker cannot obtain business data by sniffing, man-in-the-middle or similar attacks and cannot tamper with it, so that the integrity and confidentiality of the data are protected.

Description

Industrial control data ferrying system
Technical field
The present invention relates to the technical field of industrial data ferrying security, and in particular to an industrial control data ferrying system.
Background art
Industrial control systems have become an important component of national critical infrastructure, and their security bears on national strategic security. To improve production efficiency and returns, industrial control networks will become increasingly open, and the security problems that openness brings will become an important factor restricting the integration of informatization and industrialization and the development of Industry 4.0. Industrial control systems face the problem that industrial control protocols were designed without security considerations, so when industrial control data is ferried between networks an attacker can easily use the transferred information to carry viruses or malicious actions.
Summary of the invention
In view of this, the object of the present invention is to provide an industrial control data ferrying system, so as to solve the technical problem in the prior art that an attacker can easily use ferried industrial control data to carry viruses or malicious actions.
In a first aspect, an embodiment of the present invention provides an industrial control data ferrying system, including: a terminal device, a protocol filter, an industrial isolation gap, a first industrial firewall, a first switch, a first industrial encryption device and a second switch;
The terminal device is connected to the protocol filter; it encapsulates first application-layer data using a protocol it supports to obtain a first data packet, and sends the first data packet to the protocol filter;
The protocol filter is connected to the industrial isolation gap and is provided with a first protocol whitelist; it parses the application-layer protocol of the first data packet and, if the application-layer protocol used is on the first protocol whitelist, sends the first data packet to the industrial isolation gap;
The industrial isolation gap is connected to the first switch and is used to transmit data packets securely; it parses the first data packet to obtain the first application-layer data, encapsulates the first application-layer data using a protocol supported by the first switch to obtain a second data packet, and sends the second data packet to the first switch;
The first switch sends the second data packet to the first industrial firewall;
The first industrial firewall is connected to the first switch and is provided with a second protocol whitelist; it parses the network-layer protocol and the application-layer protocol of the second data packet and, if both are on the second protocol whitelist, sends the second data packet to the first industrial encryption device;
The first industrial encryption device is connected to the first industrial firewall; it parses the second data packet to obtain the first application-layer data, encrypts the first application-layer data with an encryption algorithm to obtain first encrypted data, encapsulates the first encrypted data using a preset protocol to obtain a third data packet, and sends the third data packet to the second switch.
The protocol filter parses the application-layer protocol of every data packet, and if the application-layer protocol used is not on the first protocol whitelist, the packet is intercepted. A protocol blacklist can additionally serve as an early-warning and leak-detection mechanism: when a protocol under inspection is not on the protocol whitelist, it is written to the protocol blacklist. The number of times each industrial protocol has been written to the blacklist is compared with a preset threshold; if the count for any industrial protocol exceeds the threshold, a protocol-verification prompt is issued asking staff to verify the security of that protocol. When staff enter a verification-passed operation, the protocol is deleted from the blacklist and written to the protocol whitelist. The blacklist can also be shared, so that attackers are prevented in advance from attacking servers with packets encapsulated in insecure protocols already on the blacklist, and the threshold mechanism, by prompting staff to verify a protocol that keeps appearing, guards against a safe protocol having been omitted when the whitelist was entered. Note that the write count only shows how often a protocol has been seen, not whether it is safe; the decision to promote it remains with the verifying staff.
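The filter and blacklist mechanism just described, as an added worked example in Python (not code from the patent or from the assignee): it identifies the application-layer protocol of each packet, forwards only whitelisted protocols, counts rejected protocols in a blacklist, flags a protocol for operator verification once its count exceeds the threshold, and promotes a protocol the operator approves. The port-to-protocol table, the `Packet` and `ProtocolFilter` names, the threshold value and the packets are assumptions; identifying a protocol by destination port alone is a simplification, and what happens to a protocol the operator rejects is not specified on the page, so the example's choice there is marked as an assumption.

```python
"""Protocol filter with a protocol whitelist, a blacklist that counts rejected
protocols, and a threshold that asks an operator to verify a protocol before it
is promoted to the whitelist.  Added example, not code from the patent; the
port-to-protocol table, the packets and the threshold value are assumptions."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed identification of the application-layer protocol by TCP destination
# port; a production filter would parse the payload as well.
PORT_TO_PROTOCOL = {
    502: "Modbus/TCP",
    102: "S7comm",
    20000: "DNP3",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
}


@dataclass
class Packet:
    dst_port: int
    payload: bytes


@dataclass
class ProtocolFilter:
    whitelist: set
    threshold: int                                  # prompt after this many rejects
    blacklist: Counter = field(default_factory=Counter)
    pending: set = field(default_factory=set)       # awaiting operator verification

    @staticmethod
    def identify(pkt):
        return PORT_TO_PROTOCOL.get(pkt.dst_port, f"unknown/{pkt.dst_port}")

    def inspect(self, pkt):
        """Return 'forward' for a whitelisted protocol; otherwise record the
        protocol in the blacklist, raise the prompt if needed, and return 'drop'."""
        proto = self.identify(pkt)
        if proto in self.whitelist:
            return "forward"
        self.blacklist[proto] += 1
        if self.blacklist[proto] > self.threshold:
            self.pending.add(proto)                 # early warning for the operator
        return "drop"

    def verify(self, proto, approved):
        """Operator decision for a protocol that exceeded the threshold."""
        if proto not in self.pending:
            raise ValueError(f"{proto} is not awaiting verification")
        self.pending.discard(proto)
        if approved:
            del self.blacklist[proto]               # leave the blacklist ...
            self.whitelist.add(proto)               # ... and join the whitelist
        else:
            # Assumed behaviour (not on the page): a rejected protocol stays
            # blacklisted and its count restarts, so it prompts again later.
            self.blacklist[proto] = 0


def run_demo():
    """Feed constructed packets through the filter and return the decisions."""
    flt = ProtocolFilter(whitelist={"Modbus/TCP", "S7comm"}, threshold=3)
    packets = (
        [Packet(502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a")]  # Modbus read
        + [Packet(20000, b"\x05\x64")] * 4                                  # DNP3, not whitelisted
        + [Packet(8080, b"GET / ")]                                         # unknown port
    )
    decisions = [flt.inspect(p) for p in packets]
    return flt, decisions
```

After `run_demo()` the DNP3 protocol has been dropped four times, which exceeds the threshold of three, so it sits in `pending` until `verify("DNP3", approved=True)` moves it to the whitelist; the unknown port is blacklisted but, at one hit, raises no prompt.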
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, wherein the industrial control data ferrying system further includes: a second industrial encryption device and a second industrial firewall;
The second industrial encryption device is connected to the second industrial firewall (in this implementation the first industrial encryption device sends the third data packet to the second industrial encryption device rather than directly to the second switch); it parses the third data packet to obtain the first encrypted data, decrypts the first encrypted data with a decryption algorithm to obtain the first application-layer data, encapsulates the first application-layer data using the preset protocol to obtain a fourth data packet, and sends the fourth data packet to the second industrial firewall;
The second industrial firewall is provided with the second protocol whitelist; it parses the network-layer protocol and the application-layer protocol of the fourth data packet and, if both are on the second protocol whitelist, sends the fourth data packet to the second switch.
The industrial firewall is a security protection product developed specifically for industrial environments such as PLC, DCS and SCADA, building on the functions of a traditional firewall and tailored to the characteristics of current industrial control systems. Its industrial-protocol deep packet inspection not only parses the layer-2 and layer-3 network protocols but goes on to parse the application layer of industrial network packets, so that protocols such as OPC, Modbus, DNP3, IEC 104, S7 and Profinet can be analysed in depth and tampering with or corruption of the application-layer protocol can be prevented.
The industrial encryption device adds a functional security layer on top of the control system. Using message encryption and a hash chain, and supporting several algorithms such as the national standard SM4, AES, 3DES and CAST5, it strengthens the authentication and encrypted transmission of industrial protocols, so that an attacker can neither impersonate a party nor tamper with transmitted instructions, and transmission security is achieved without changing the underlying transport protocol. The encryption device protects the authentication of end-to-end communication and the integrity and confidentiality of the data: it obtains process data from the application layer and encrypts it with the encryption algorithm, ensuring that business data cannot be obtained by sniffing, man-in-the-middle or similar attacks and cannot be tampered with. Note that encryption by itself only provides confidentiality; the tamper resistance claimed here depends on the authentication function (the hash chain or a message authentication code) being applied as well, since a ciphertext without an integrity check can still be modified without detection.
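An added example (not the patent's or the assignee's code) of what the encryption device's encrypt-and-encapsulate step and the receiving device's verify-and-decrypt step look like end to end, including the tamper and replay detection the paragraph claims. The frame layout (`MAGIC`, sequence number, length, tag), the class and key names, and the use of a chain of authentication tags as the page's "hash chain" are assumptions; because the Python standard library has no block cipher, an HMAC-SHA256 counter-mode keystream stands in for SM4 or AES, which would replace it in a real device.

```python
"""Encryption device for the ferry path: application-layer data is encrypted,
then encapsulated in a preset frame carrying a sequence number and a chained
authentication tag; the receiving device verifies the tag before it decrypts.
Added example, not the patent's code.  Assumptions: the frame layout, the
HMAC-SHA256 counter-mode keystream standing in for SM4/AES, and a tag chain as
the page's 'hash chain'."""
import hashlib
import hmac
import struct

MAGIC = b"ICF1"                    # assumed preset-protocol marker
HEADER = struct.Struct(">4sIH")    # magic, sequence number, ciphertext length
TAG_LEN = 32


def derive_key(master, purpose, direction):
    """Separate keys per purpose and per direction, so the two devices never
    reuse a keystream and never accept their own frames."""
    return hmac.new(master, purpose + b"|" + direction, hashlib.sha256).digest()


def keystream(k_enc, seq, length):
    """Counter-mode keystream from a PRF; (seq, block) must never repeat under
    one key, which the receiver's strict sequence check enforces."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(k_enc, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptionDevice:
    def __init__(self, master, local, peer):
        self.k_enc_out = derive_key(master, b"enc", local)
        self.k_mac_out = derive_key(master, b"mac", local)
        self.k_enc_in = derive_key(master, b"enc", peer)
        self.k_mac_in = derive_key(master, b"mac", peer)
        self.send_seq, self.send_chain = 0, bytes(TAG_LEN)
        self.recv_seq, self.recv_chain = 0, bytes(TAG_LEN)

    def encapsulate(self, app_data):
        """Encrypt-then-MAC: the tag covers the previous tag, the header and the
        ciphertext, so dropping or reordering frames breaks the chain."""
        seq = self.send_seq
        ct = xor_bytes(app_data, keystream(self.k_enc_out, seq, len(app_data)))
        header = HEADER.pack(MAGIC, seq, len(ct))
        tag = hmac.new(self.k_mac_out, self.send_chain + header + ct, hashlib.sha256).digest()
        self.send_seq, self.send_chain = seq + 1, tag
        return header + ct + tag

    def decapsulate(self, frame):
        """Verify before decrypting; state advances only on success, so a
        tampered or replayed frame does not desynchronise the chain."""
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("frame too short")
        magic, seq, ct_len = HEADER.unpack_from(frame)
        body_end = HEADER.size + ct_len
        if magic != MAGIC or len(frame) != body_end + TAG_LEN:
            raise ValueError("bad magic or length")
        if seq != self.recv_seq:
            raise ValueError(f"unexpected sequence {seq}, wanted {self.recv_seq}")
        expected = hmac.new(self.k_mac_in, self.recv_chain + frame[:body_end],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame[body_end:]):
            raise ValueError("authentication tag mismatch")
        self.recv_seq, self.recv_chain = seq + 1, expected
        return xor_bytes(frame[HEADER.size:body_end], keystream(self.k_enc_in, seq, ct_len))
```

Two devices built from the same master key with mirrored `local`/`peer` names (the first and second industrial encryption devices of the page) can each decrypt the other's frames but not their own; a flipped ciphertext byte, a replayed frame and a frame from the wrong direction all fail closed before any plaintext is released.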
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, wherein the second industrial firewall is further configured to receive a fifth data packet sent by the second switch, parse the network-layer protocol and the application-layer protocol of the fifth data packet and, if both are on the second protocol whitelist, send the fifth data packet to the second industrial encryption device.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, wherein the second industrial encryption device is further configured to parse the fifth data packet to obtain second application-layer data, encrypt the second application-layer data with the encryption algorithm to obtain second encrypted data, encapsulate the second encrypted data using the preset protocol to obtain a sixth data packet, and send the sixth data packet to the first industrial encryption device.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, wherein the first industrial encryption device is further configured to parse the sixth data packet to obtain the second encrypted data, decrypt the second encrypted data with the decryption algorithm to obtain the second application-layer data, encapsulate the second application-layer data using the preset protocol to obtain a seventh data packet, and send the seventh data packet to the first industrial firewall.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, wherein the first industrial firewall is further configured to parse the network-layer protocol and the application-layer protocol of the seventh data packet and, if both are on the second protocol whitelist, send the seventh data packet to the first switch.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation of the first aspect, wherein the industrial isolation gap is further configured to parse the seventh data packet to obtain the second application-layer data, encapsulate the second application-layer data using a protocol supported by the terminal device to obtain an eighth data packet, and send the eighth data packet to the protocol filter.
The industrial isolation gap is an information security device that connects two independent host systems by means of a solid-state switched read/write medium with various control functions. Between the two host systems connected through the physical isolation gap there is no physical communication connection, no logical connection, no information-transfer command and no information-transfer protocol; there is no packet forwarding according to any protocol, only the protocol-less "ferrying" of data files, and the only two operations on the solid-state storage medium are "read" and "write". The physical isolation gap therefore blocks, at the physical level, every possible connection with a potential attack, so that an attacker cannot intrude, attack or cause damage across it. Note, however, that the application data itself does cross the gap, so malformed or malicious content inside that data is not removed by the gap alone; in the system described here that is the role of the protocol filter before the gap and of the industrial firewall's deep packet inspection after it.
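The firewall's deep packet inspection described above and the isolation gap's parse-and-re-encapsulate behaviour, as one added example in Python (not the patent's or the assignee's code), using Modbus/TCP because the page names it among the protocols inspected. The strict MBAP parse rejects the malformed frames the firewall is meant to catch; the network-layer and application-layer whitelists are assumed values, and the read-only function-code rule is an assumed policy that goes beyond the page's protocol whitelist. `IsolationGap.ferry` models the gap by passing only the parsed application data across the medium and building a fresh frame on the far side, so no transport header or transaction identifier from the inner network survives. Function and constant names are the example's own.

```python
"""Deep inspection of Modbus/TCP at the industrial firewall and strip-and-
re-encapsulate at the isolation gap.  Added example, not the patent's code;
whitelists and the read-only policy are assumptions."""
import struct

MBAP_LEN = 7                 # transaction id, protocol id, length, unit id
MODBUS_TCP_PORT = 502
IPPROTO_TCP = 6

# Assumed policy: only TCP at the network layer, only Modbus/TCP at the
# application layer, and only read function codes through the ferry.
NETWORK_WHITELIST = {IPPROTO_TCP}
APPLICATION_WHITELIST = {"Modbus/TCP"}
READ_ONLY_FUNCTION_CODES = {1, 2, 3, 4}


def parse_modbus_tcp(frame):
    """Strict MBAP parse returning (transaction_id, unit_id, function_code, data);
    raises ValueError for anything that does not match the Modbus/TCP layout."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0:
        raise ValueError("MBAP protocol identifier must be 0")
    if length != len(frame) - 6:            # length counts unit id plus PDU
        raise ValueError("MBAP length does not match frame size")
    if length > 254:                        # 253-byte PDU limit plus unit id
        raise ValueError("PDU exceeds Modbus maximum")
    fc = frame[MBAP_LEN]
    if fc == 0 or fc > 127:                 # 0 invalid, >127 exception responses
        raise ValueError("invalid or exception function code")
    return tid, unit, fc, frame[MBAP_LEN + 1:]


def build_modbus_tcp(tid, unit, fc, data):
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def firewall_inspect(ip_proto, dst_port, payload, read_only=True):
    """Network-layer whitelist, then application-layer whitelist, then deep
    inspection of the application protocol itself."""
    if ip_proto not in NETWORK_WHITELIST:
        return "drop: network protocol not whitelisted"
    app = "Modbus/TCP" if dst_port == MODBUS_TCP_PORT else f"unknown/{dst_port}"
    if app not in APPLICATION_WHITELIST:
        return "drop: application protocol not whitelisted"
    try:
        _, _, fc, _ = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"drop: malformed Modbus/TCP ({exc})"
    if read_only and fc not in READ_ONLY_FUNCTION_CODES:
        return f"drop: function code {fc} not permitted"
    return "forward"


class IsolationGap:
    """Only parsed application data is 'written' to the medium and 'read' on
    the other side, where a brand-new frame is built for the outer network."""

    def __init__(self):
        self.next_tid = 1

    def ferry(self, frame):
        _, unit, fc, data = parse_modbus_tcp(frame)     # inner side: read
        medium = (unit, fc, data)                       # no transport state kept
        tid, self.next_tid = self.next_tid, self.next_tid + 1
        return build_modbus_tcp(tid, *medium)           # outer side: write
```

A frame that reaches the gap has already passed the protocol filter; after `ferry` it carries a transaction identifier chosen by the gap, and the firewall then re-parses it, so a frame whose length field or protocol identifier has been altered in transit is dropped as malformed rather than handed to the encryption device.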
With reference to the first aspect, an embodiment of the present invention provides a seventh possible implementation of the first aspect, wherein the protocol filter is further configured to parse the application-layer protocol of the eighth data packet and, if the application-layer protocol used is on the first protocol whitelist, send the eighth data packet to the terminal device.
In a second aspect, an embodiment of the present invention also provides an industrial control data ferrying system, including: a terminal device, a protocol filter, an industrial isolation gap, a first industrial firewall, a first switch, a first industrial encryption device, a second switch, a second industrial firewall and a second industrial encryption device;
The terminal device is connected to the protocol filter; it encapsulates first application-layer data using a protocol it supports to obtain a first data packet and sends the first data packet to the protocol filter; it also receives an eighth data packet;
The protocol filter is connected to the industrial isolation gap and is provided with a first protocol whitelist; it parses the application-layer protocol of the first data packet and, if the application-layer protocol used is on the first protocol whitelist, sends the first data packet to the industrial isolation gap; it also parses the application-layer protocol of the eighth data packet and, if that protocol is on the first protocol whitelist, sends the eighth data packet to the terminal device;
The industrial isolation gap is connected to the first switch and is used to transmit data packets securely; it parses the first data packet to obtain the first application-layer data, encapsulates the first application-layer data using a protocol supported by the first switch to obtain a second data packet, and sends the second data packet to the first switch; it also parses a seventh data packet to obtain second application-layer data, encapsulates the second application-layer data using a protocol supported by the terminal device to obtain the eighth data packet, and sends the eighth data packet to the protocol filter;
The first switch sends the second data packet to the first industrial firewall; it also receives the seventh data packet and sends the seventh data packet to the industrial isolation gap;
The first industrial firewall is connected to the first switch and is provided with a second protocol whitelist; it parses the network-layer protocol and the application-layer protocol of the second data packet and, if both are on the second protocol whitelist, sends the second data packet to the first industrial encryption device; it also parses the network-layer protocol and the application-layer protocol of the seventh data packet and, if both are on the second protocol whitelist, sends the seventh data packet to the first switch;
The first industrial encryption device is connected to the first industrial firewall; it parses the second data packet to obtain the first application-layer data, encrypts the first application-layer data with an encryption algorithm to obtain first encrypted data, encapsulates the first encrypted data using a preset protocol to obtain a third data packet, and sends the third data packet to the second industrial encryption device; it also parses a sixth data packet to obtain second encrypted data, decrypts the second encrypted data with a decryption algorithm to obtain the second application-layer data, encapsulates the second application-layer data using the preset protocol to obtain the seventh data packet, and sends the seventh data packet to the first industrial firewall;
The second industrial encryption device is connected to the second industrial firewall; it parses the third data packet to obtain the first encrypted data, decrypts the first encrypted data with the decryption algorithm to obtain the first application-layer data, encapsulates the first application-layer data using the preset protocol to obtain a fourth data packet, and sends the fourth data packet to the second industrial firewall; it also parses a fifth data packet to obtain the second application-layer data, encrypts the second application-layer data with the encryption algorithm to obtain the second encrypted data, encapsulates the second encrypted data using the preset protocol to obtain the sixth data packet, and sends the sixth data packet to the first industrial encryption device;
The second industrial firewall is provided with the second protocol whitelist; it parses the network-layer protocol and the application-layer protocol of the fourth data packet and, if both are on the second protocol whitelist, sends the fourth data packet to the second switch; it also receives the fifth data packet sent by the second switch, parses its network-layer protocol and application-layer protocol and, if both are on the second protocol whitelist, sends the fifth data packet to the second industrial encryption device.
The embodiments of the present invention have the following advantageous effects. The terminal device is connected to the protocol filter and encapsulates first application-layer data using a protocol it supports to obtain a first data packet, which it sends to the protocol filter; the protocol filter is connected to the industrial isolation gap, is provided with a first protocol whitelist, parses the application-layer protocol of the first data packet and, if that protocol is on the first protocol whitelist, sends the first data packet to the isolation gap; the isolation gap is connected to the first switch, transmits data packets securely, parses the first data packet to obtain the first application-layer data, encapsulates it using a protocol supported by the first switch to obtain a second data packet and sends the second data packet to the first switch; the first switch sends the second data packet to the first industrial firewall; the first industrial firewall is connected to the first switch, is provided with a second protocol whitelist, parses the network-layer and application-layer protocols of the second data packet and, if both are on the second protocol whitelist, sends the second data packet to the first industrial encryption device; the first industrial encryption device is connected to the first industrial firewall, parses the second data packet to obtain the first application-layer data, encrypts it with an encryption algorithm to obtain first encrypted data, encapsulates the first encrypted data using a preset protocol to obtain a third data packet and sends the third data packet to the second switch. This solves the technical problem in the prior art that an attacker can easily use ferried industrial control data to carry viruses or malicious actions, ensures that an attacker cannot obtain business data by sniffing, man-in-the-middle or similar attacks and cannot tamper with the data, and safeguards the integrity and confidentiality of the data.
Other features and advantages of the present invention will be set out in the following description, will in part be apparent from the description, or may be learned by practising the invention. The objects and other advantages of the invention are realised and obtained by the structure particularly pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of the drawings
To describe the technical solutions of the specific embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 is a block diagram of an industrial control data ferrying system provided by an embodiment of the present invention;
Fig. 2 is a block diagram of another industrial control data ferrying system provided by an embodiment of the present invention;
Fig. 3 is a block diagram of the internal modules of the protocol filter provided by an embodiment of the present invention;
Fig. 4 is a block diagram of another industrial control data ferrying system provided by an embodiment of the present invention.
Reference numerals: 1 - terminal device; 2 - protocol filter; 3 - industrial isolation gap; 4 - first switch; 5 - first industrial firewall; 6 - first industrial encryption device; 7 - second industrial encryption device; 8 - second industrial firewall; 9 - second switch.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
At present, industrial control systems face the problem that industrial control protocols were designed without security considerations, so that when industrial control data is ferried an attacker can easily use the transferred information to carry viruses or malicious actions. On this basis, the embodiments of the present invention provide an industrial control data ferrying system to solve the technical problem in the prior art that an attacker can easily use ferried industrial control data to carry viruses or malicious actions, ensuring that an attacker cannot obtain business data by sniffing, man-in-the-middle or similar attacks and cannot tamper with it, and safeguarding the integrity and confidentiality of the data.
To facilitate understanding of this embodiment, the industrial control data ferrying system disclosed in the embodiments of the present invention is first described in detail.
Embodiment one:A kind of industrial control data ferry-boat system module schematic diagram as shown in Figure 1, an embodiment of the present invention provides A kind of industrial control data ferry-boat system includes:Terminal device 1, protocol filtering device 2, industry control isolation gap 3, the first industry control fire wall 5, the first interchanger 4, the first industry control encryption equipment 6 and second switch 9;
The terminal device 1 is connect with the protocol filtering device 2, and the first application layer data is encapsulated using its supported protocol The first data packet is obtained, the first data packet is sent to the protocol filter;
The protocol filtering device 2 is connect with the industry control isolation gap 3, and first is equipped in the protocol filtering device 2 Agreement white list parses the first data packet application layer protocol, if the application layer protocol used is agreement in the first agreement white list, First data packet is sent to industry control isolation gap 3;
The industry control isolation gap 3 is connect with first interchanger 4, and the industry control isolation gap 3 is used for safe transmission Data packet, parses first data packet and obtains first application layer data, and first application layer data is utilized first First application layer data described in the protocol encapsulation that interchanger 4 is supported obtains the second data packet, and second data packet is sent To the first interchanger 4;
First interchanger 4 sends second data packet to the first industry control fire wall 5;
The first industry control fire wall 5 is connect with first interchanger 4, and the is equipped in the first industry control fire wall 5 Two agreement white lists parse the network layer protocol and application layer protocol of second data packet, if the network layer protocol used and Application layer protocol is agreement in second protocol white list, and second data packet is sent to the first industry control encryption equipment 6;
The first industry control encryption equipment 6 is connect with the first industry control fire wall 5, and the first industry control encryption equipment 6 parses Second data packet obtains first application layer data, encrypts to obtain to first application layer data using Encryption Algorithm First encryption data encapsulates first encryption data using preset protocol and obtains third data packet, to the second switch 9 Send the third data packet.
The protocol filtering device 2 parses the application-layer protocol of any data packet and intercepts the packet if the protocol used is not in the first protocol whitelist. Early warning and leak detection can also be achieved by creating a protocol blacklist. For example, as shown in the internal module diagram of the protocol filtering device in Figure 3: when a protocol to be detected is not in the protocol whitelist, that protocol is written into the protocol blacklist. The device then judges whether the number of write-ins of each industrial-control protocol in the blacklist exceeds a predetermined threshold; if the write-in count of any industrial-control protocol exceeds the threshold, a protocol verification prompt is issued to prompt staff to verify the safety of that protocol. When a security-verification-passed operation entered by staff is received, the protocol is deleted from the blacklist and written into the protocol whitelist. Creating a protocol blacklist allows the blacklist to be shared, so that an attacker is prevented in advance from attacking the server with data packets encapsulated in an insecure protocol from the blacklist. The threshold mechanism, which issues a verification prompt once the write-in count of any industrial-control protocol exceeds the preset threshold, also prevents staff from omitting a safe protocol when entering protocols into the whitelist.
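As an added illustration (example code, not part of the patent or its assignee's product), the following Python models the whitelist, blacklist and threshold mechanism described above: whitelisted application-layer protocols pass to the isolation gap, everything else is intercepted and written into the blacklist, a verification prompt is raised once a protocol's write-in count exceeds the threshold, and a protocol that staff verify is moved from the blacklist to the whitelist. The port-to-protocol table, the packet layout and the threshold value are constructed assumptions of the example.

```python
"""Protocol filter with whitelist, blacklist and verification threshold.

Added example, not code from the patent. The packet layout (a dict with a
destination port and payload) and the port table are constructed for the
example; the device in the patent parses the protocol itself.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-in for the filter's application-layer parser: the
# well-known TCP ports of Modbus/TCP, S7comm, DNP3 and IEC 60870-5-104.
APP_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 2404: "iec104"}


def parse_app_protocol(packet: dict) -> str:
    """Name the application-layer protocol of a constructed packet.

    Unknown ports are reported as 'unknown/<port>' so that they can still be
    written into the blacklist and counted.
    """
    port = packet["dst_port"]
    return APP_PORTS.get(port, f"unknown/{port}")


@dataclass
class ProtocolFilter:
    whitelist: set                                  # first protocol whitelist
    threshold: int = 3                              # preset write-in threshold
    blacklist: Counter = field(default_factory=Counter)   # protocol -> write-ins
    prompts: list = field(default_factory=list)     # protocols awaiting staff check

    def check(self, packet: dict) -> bool:
        """True: forward to the isolation gap. False: packet intercepted."""
        proto = parse_app_protocol(packet)
        if proto in self.whitelist:
            return True
        self.blacklist[proto] += 1                  # write-in to the blacklist
        if self.blacklist[proto] > self.threshold and proto not in self.prompts:
            self.prompts.append(proto)              # raise the verification prompt
        return False

    def verification_passed(self, proto: str) -> None:
        """Staff verified the protocol as safe: move it blacklist -> whitelist."""
        self.blacklist.pop(proto, None)
        if proto in self.prompts:
            self.prompts.remove(proto)
        self.whitelist.add(proto)

    def export_blacklist(self) -> dict:
        """Blacklist in a form other filters can import to block in advance."""
        return dict(self.blacklist)


if __name__ == "__main__":
    f = ProtocolFilter(whitelist={"modbus"}, threshold=3)
    # Constructed traffic: one Modbus packet, then four S7comm packets.
    traffic = [{"dst_port": 502, "payload": b"\x00\x01"}]
    traffic += [{"dst_port": 102, "payload": b"\x32\x01"}] * 4
    for p in traffic:
        print(parse_app_protocol(p), "forwarded" if f.check(p) else "intercepted")
    print("prompts:", f.prompts, "blacklist:", f.export_blacklist())
```

Note that the prompt is raised only after the count exceeds the threshold (the fourth write-in with a threshold of 3), and that verification clears both the blacklist entry and the pending prompt before the protocol joins the whitelist.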
In another embodiment of the invention, as shown in the module diagram of another industrial control data ferry system in Figure 2, the industrial control data ferry system further includes a second industrial-control encryption machine 7 and a second industrial-control firewall 8;
The second industrial-control encryption machine 7 is connected to the second industrial-control firewall 8. It parses the third data packet to obtain the first encrypted data, decrypts the first encrypted data with a decryption algorithm to obtain the first application-layer data, encapsulates the first application-layer data using the preset protocol to obtain a fourth data packet, and sends the fourth data packet to the second industrial-control firewall 8;
A second protocol whitelist is configured in the second industrial-control firewall 8, which parses the network-layer protocol and the application-layer protocol of the fourth data packet; if both the network-layer protocol and the application-layer protocol used are in the second protocol whitelist, it sends the fourth data packet to the second switch 9.
In the embodiments of the invention, the industrial-control firewall is a security protection product developed for the characteristics of current industrial control systems, building on the functions of a traditional firewall and targeting industrial-control environments such as PLC, DCS and SCADA. Its deep packet inspection of industrial-control protocols parses not only layer-2 and layer-3 network protocols but also the application layer of industrial-control network packets; it can perform deep analysis of industrial-control protocols such as OPC, Modbus, DNP3, IEC 104, S7 and Profinet, preventing application-layer protocols from being tampered with or destroyed.
In the embodiments of the invention, the industrial-control encryption machine adds a functional safety layer on top of the control system. By applying an encryption function and a hash chain to each message, while supporting multiple encryption algorithms such as the national SM4 standard, AES, 3DES and CAST5, it strengthens the authentication and encrypted transmission of industrial-control protocols, so that an attacker can neither impersonate a party nor tamper with transmitted instructions, and transmission security is achieved without changing the underlying transport protocol. The encryption machine protects the authentication of end-to-end communication and the integrity and confidentiality of data. It acquires process data from the application layer and encrypts it with the encryption algorithm, ensuring that business data cannot be obtained by sniffing, man-in-the-middle or similar attack means and cannot be tampered with, so that the integrity and confidentiality of the data are guaranteed.
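The following is an added Python example, not code from the patent or its assignee, of the sender/receiver pair the paragraph describes: each application-layer message is encrypted, linked to its predecessor with a hash chain, and authenticated, so that a tampered, replayed, dropped or reordered message is rejected by the receiving machine. Because the page names SM4, AES, 3DES and CAST5 but this example stays within the Python standard library, the cipher is a stand-in (an HMAC-SHA256 keystream in counter mode, an assumption of the example), and the framing of the "preset protocol", the key values and the sample messages are all constructed.

```python
"""Encryption-machine pair with a per-message hash chain.

Added example, not the patent's code. The stream cipher below is a
standard-library stand-in for the SM4/AES/3DES/CAST5 the page lists; the
frame layout (nonce | link | tag | ciphertext) is a constructed 'preset
protocol'.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, LINK_LEN, TAG_LEN = 16, 32, 32
GENESIS = b"\x00" * LINK_LEN          # chain value before the first message


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptionMachine:
    """Sender side: application-layer data -> encrypted, chained frame."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.chain = GENESIS

    def seal(self, app_data: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = _xor(app_data, _keystream(self.enc_key, nonce, len(app_data)))
        # Hash chain: each link commits to the previous link and this ciphertext,
        # so a dropped, replayed or reordered frame no longer fits the chain.
        link = hashlib.sha256(self.chain + ct).digest()
        tag = hmac.new(self.mac_key, nonce + link + ct, hashlib.sha256).digest()
        self.chain = link
        return nonce + link + tag + ct          # constructed preset-protocol frame


class DecryptionMachine:
    """Receiver side: verifies MAC and chain, then recovers the application data."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.chain = GENESIS

    def open(self, frame: bytes) -> bytes:
        if len(frame) < NONCE_LEN + LINK_LEN + TAG_LEN:
            raise ValueError("frame too short")
        nonce = frame[:NONCE_LEN]
        link = frame[NONCE_LEN:NONCE_LEN + LINK_LEN]
        tag = frame[NONCE_LEN + LINK_LEN:NONCE_LEN + LINK_LEN + TAG_LEN]
        ct = frame[NONCE_LEN + LINK_LEN + TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + link + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: frame was tampered with")
        if not hmac.compare_digest(link, hashlib.sha256(self.chain + ct).digest()):
            raise ValueError("hash chain broken: frame dropped, replayed or reordered")
        self.chain = link                        # advance only after both checks pass
        return _xor(ct, _keystream(self.enc_key, nonce, len(ct)))


def try_open(machine: DecryptionMachine, frame: bytes):
    """Return the recovered data, or None when the receiver rejects the frame."""
    try:
        return machine.open(frame)
    except ValueError:
        return None


if __name__ == "__main__":
    ek, mk = b"k" * 32, b"m" * 32             # constructed keys
    tx, rx = EncryptionMachine(ek, mk), DecryptionMachine(ek, mk)
    frames = [tx.seal(b"write coil 17 on"), tx.seal(b"read holding 40001")]
    print(rx.open(frames[0]))                   # b'write coil 17 on'
    print(try_open(rx, frames[0]))              # None: replay breaks the chain
    print(rx.open(frames[1]))                   # b'read holding 40001'
```

The receiver advances its chain only after both the MAC and the link check pass, so a rejected frame does not desynchronise the two machines: if a frame is delayed rather than lost, the receiver rejects the later frame, accepts the delayed one when it arrives, and then accepts the later frame on resend.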
In another embodiment of the invention, the second industrial-control firewall 8 is further used to receive a fifth data packet sent by the second switch 9 and to parse the network-layer protocol and the application-layer protocol of the fifth data packet; if both the network-layer protocol and the application-layer protocol used are in the second protocol whitelist, it sends the fifth data packet to the second industrial-control encryption machine 7.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may be found in the corresponding process of the foregoing method embodiment and is not repeated here.
In another embodiment of the invention, the second industrial-control encryption machine 7 is further used to parse the fifth data packet to obtain second application-layer data, encrypt the second application-layer data with the encryption algorithm to obtain second encrypted data, encapsulate the second encrypted data using the preset protocol to obtain a sixth data packet, and send the sixth data packet to the first industrial-control encryption machine 6.
In another embodiment of the invention, the first industrial-control encryption machine 6 is further used to parse the sixth data packet to obtain the second encrypted data, decrypt the second encrypted data with the decryption algorithm to obtain the second application-layer data, encapsulate the second application-layer data using the preset protocol to obtain a seventh data packet, and send the seventh data packet to the first industrial-control firewall 5.
In yet another embodiment of the invention, the first industrial-control firewall 5 is further used to parse the network-layer protocol and the application-layer protocol of the seventh data packet; if both the network-layer protocol and the application-layer protocol used are in the second protocol whitelist, it sends the seventh data packet to the first switch 4.
In yet another embodiment of the invention, the industrial-control isolation gap 3 is further used to parse the seventh data packet to obtain the second application-layer data, encapsulate the second application-layer data using a protocol supported by the terminal device 1 to obtain an eighth data packet, and send the eighth data packet to the protocol filtering device 2.
In the embodiments of the invention, the industrial-control isolation gap 3 is an information security device that connects two independent host systems through a solid-state switched read/write medium with various control functions. Between the two independent host systems connected by the physical isolation gap there is no physical communication connection, no logical connection, no information transmission command and no information transmission protocol; no packet is forwarded according to any protocol, data files are only "ferried" without any protocol, and the solid-state storage medium accepts only two commands, "read" and "write". The physical isolation gap therefore physically blocks every possible connection with a potential attacker, so that a "hacker" cannot intrude, attack or cause damage, achieving real security.
In another embodiment of the invention, the protocol filtering device 2 is further used to parse the application-layer protocol of the eighth data packet; if the application-layer protocol used is in the first protocol whitelist, it sends the eighth data packet to the terminal device 1.
Embodiment two: as shown in the module diagram of another industrial control data ferry system in Figure 4, the embodiment of the invention also provides a complete industrial control data ferry system. It has the same technical features as the industrial control data ferry system provided by the above embodiment, so it can also solve the same technical problem and achieve the same technical effect. The industrial control data ferry system includes: a terminal device 1, a protocol filtering device 2, an industrial-control isolation gap 3, a first industrial-control firewall 5, a first switch 4, a first industrial-control encryption machine 6, a second switch 9, a second industrial-control firewall 8 and a second industrial-control encryption machine 7;
The terminal device 1 is connected to the protocol filtering device 2. It encapsulates first application-layer data using a protocol it supports to obtain a first data packet, sends the first data packet to the protocol filtering device 2, and receives the eighth data packet;
The protocol filtering device 2 is connected to the industrial-control isolation gap 3. A first protocol whitelist is configured in the protocol filtering device 2, which parses the application-layer protocol of the first data packet and, if the application-layer protocol used is in the first protocol whitelist, sends the first data packet to the industrial-control isolation gap 3; it also parses the application-layer protocol of the eighth data packet and, if the application-layer protocol used is in the first protocol whitelist, sends the eighth data packet to the terminal device 1;
The industrial-control isolation gap 3 is connected to the first switch 4 and is used to transfer data packets securely. It parses the first data packet to obtain the first application-layer data, encapsulates the first application-layer data using a protocol supported by the first switch 4 to obtain a second data packet, and sends the second data packet to the first switch 4; it also parses the seventh data packet to obtain the second application-layer data, encapsulates the second application-layer data using a protocol supported by the terminal device 1 to obtain the eighth data packet, and sends the eighth data packet to the protocol filtering device 2;
The first switch 4 sends the second data packet to the first industrial-control firewall 5; it also receives the seventh data packet and sends the seventh data packet to the industrial-control isolation gap 3;
The first industrial-control firewall 5 is connected to the first switch 4. A second protocol whitelist is configured in the first industrial-control firewall 5, which parses the network-layer protocol and the application-layer protocol of the second data packet and, if both are in the second protocol whitelist, sends the second data packet to the first industrial-control encryption machine 6; it also parses the network-layer protocol and the application-layer protocol of the seventh data packet and, if both are in the second protocol whitelist, sends the seventh data packet to the first switch 4;
The first industrial-control encryption machine 6 is connected to the first industrial-control firewall 5. It parses the second data packet to obtain the first application-layer data, encrypts the first application-layer data with the encryption algorithm to obtain the first encrypted data, encapsulates the first encrypted data using the preset protocol to obtain the third data packet, and sends the third data packet to the second industrial-control encryption machine 7; it also parses the sixth data packet to obtain the second encrypted data, decrypts the second encrypted data with the decryption algorithm to obtain the second application-layer data, encapsulates the second application-layer data using the preset protocol to obtain the seventh data packet, and sends the seventh data packet to the first industrial-control firewall 5;
The second industrial-control encryption machine 7 is connected to the second industrial-control firewall 8. It parses the third data packet to obtain the first encrypted data, decrypts the first encrypted data with the decryption algorithm to obtain the first application-layer data, encapsulates the first application-layer data using the preset protocol to obtain the fourth data packet, and sends the fourth data packet to the second industrial-control firewall 8; it also parses the fifth data packet to obtain the second application-layer data, encrypts the second application-layer data with the encryption algorithm to obtain the second encrypted data, encapsulates the second encrypted data using the preset protocol to obtain the sixth data packet, and sends the sixth data packet to the first industrial-control encryption machine 6;
The second protocol whitelist is configured in the second industrial-control firewall 8, which parses the network-layer protocol and the application-layer protocol of the fourth data packet and, if both are in the second protocol whitelist, sends the fourth data packet to the second switch 9; it also receives the fifth data packet sent by the second switch 9, parses the network-layer protocol and the application-layer protocol of the fifth data packet and, if both are in the second protocol whitelist, sends the fifth data packet to the second industrial-control encryption machine 7.
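To make the hop-by-hop behaviour of embodiment two concrete, here is an added Python model (not the patent's code) of the outbound path through the protocol filter, the isolation gap, the first switch and the first firewall, reporting at which hop a packet is dropped. The packet layout, protocol names, whitelists, and the rule that the gap rebuilds a packet from the ferried application-layer data alone are assumptions of this example; the encryption-machine hop is not modelled here.

```python
"""Hop-by-hop model of the outbound ferry path (added example, not the
patent's code): protocol filter -> isolation gap -> first switch ->
first industrial-control firewall. Packet layout, protocol names and
whitelists are constructed assumptions; the encryption-machine hop is omitted.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    net_proto: str      # network-layer protocol carrying the packet, e.g. "ipv4"
    app_proto: str      # application-layer protocol, e.g. "modbus"
    payload: bytes      # application-layer data


class AppLayerFilter:
    """Protocol filtering device: checks the application-layer protocol only."""

    def __init__(self, whitelist):
        self.whitelist = set(whitelist)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        return pkt if pkt.app_proto in self.whitelist else None   # None = intercepted


class IsolationGap:
    """Isolation gap: only the application-layer data is 'ferried'.

    The inner-side packet is 'read', and a fresh packet is 'written' on the
    outer side using the protocol the outer switch supports, so no inner
    framing survives the crossing (an assumption of this model).
    """

    def __init__(self, outer_net_proto: str):
        self.outer_net_proto = outer_net_proto

    def ferry(self, pkt: Packet) -> Packet:
        app_data = pkt.payload                                    # "read"
        return Packet(self.outer_net_proto, pkt.app_proto, app_data)   # "write"


class IcsFirewall:
    """Industrial-control firewall: both the network-layer and the
    application-layer protocol must be on the second whitelist."""

    def __init__(self, net_whitelist, app_whitelist):
        self.net_whitelist = set(net_whitelist)
        self.app_whitelist = set(app_whitelist)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        ok = pkt.net_proto in self.net_whitelist and pkt.app_proto in self.app_whitelist
        return pkt if ok else None


def switch_forward(pkt: Packet) -> Packet:
    """The first switch simply relays the packet to the firewall."""
    return pkt


def build_outbound_path() -> list:
    """Constructed configuration of the four hops, as (name, step) pairs."""
    filt = AppLayerFilter({"modbus", "dnp3"})
    gap = IsolationGap(outer_net_proto="ipv4")
    fw = IcsFirewall(net_whitelist={"ipv4"}, app_whitelist={"modbus", "s7comm"})
    return [("protocol filter", filt.forward),
            ("isolation gap", gap.ferry),
            ("first switch", switch_forward),
            ("first firewall", fw.forward)]


def run_pipeline(hops: list, pkt: Packet):
    """Push a packet through the hops in order.

    Returns (delivered packet, None) on success, or (None, hop name) naming
    the hop that dropped the packet.
    """
    for name, step in hops:
        pkt = step(pkt)
        if pkt is None:
            return None, name
    return pkt, None


if __name__ == "__main__":
    hops = build_outbound_path()
    for p in [Packet("ipv4", "modbus", b"\x00\x01"),     # constructed samples
              Packet("ipv4", "http", b"GET / HTTP/1.1"),
              Packet("ipv4", "dnp3", b"\x05\x64")]:
        print(p.app_proto, run_pipeline(hops, p))
```

The two whitelists are deliberately different: DNP3 passes the filter but is dropped at the firewall, which is the layered behaviour the embodiment describes, and because the gap rebuilds the packet's network-layer framing, the firewall's network-layer check governs the outer segment regardless of how the packet arrived at the gap.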
The system provided by the embodiment of the invention has the same implementation principle and technical effect as the foregoing method embodiment; for brevity, wherever the system embodiment omits a detail, reference may be made to the corresponding content in the foregoing method embodiment.
In addition, in the description of the embodiments of the invention, unless otherwise expressly specified or limited, the terms "installed", "connected" and "connection" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; or internal to two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the invention according to the specific circumstances.
Finally, it should be noted that the embodiments described above are only specific embodiments of the invention, intended to illustrate its technical solution rather than limit it, and the scope of protection of the invention is not limited thereto. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that anyone skilled in the art can, within the technical scope disclosed by the invention, still modify the technical solution recorded in the foregoing embodiments, readily conceive of variations, or replace some of the technical features with equivalents; such modifications, variations or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solution of the embodiments of the invention, and shall all be covered within the scope of protection of the invention. Therefore, the scope of protection of the invention shall be subject to the scope of protection of the claims.

Claims (10)

  1. An industrial control data ferry system, characterized in that it includes: a terminal device, a protocol filtering device, an industrial-control isolation gap, a first industrial-control firewall, a first switch, a first industrial-control encryption machine and a second switch;
    The terminal device is connected to the protocol filtering device, encapsulates first application-layer data using a protocol it supports to obtain a first data packet, and sends the first data packet to the protocol filtering device;
    The protocol filtering device is connected to the industrial-control isolation gap, a first protocol whitelist is configured in the protocol filtering device, and the protocol filtering device parses the application-layer protocol of the first data packet and, if the application-layer protocol used is in the first protocol whitelist, sends the first data packet to the industrial-control isolation gap;
    The industrial-control isolation gap is connected to the first switch and is used to transfer data packets securely; it parses the first data packet to obtain the first application-layer data, encapsulates the first application-layer data using a protocol supported by the first switch to obtain a second data packet, and sends the second data packet to the first switch;
    The first switch sends the second data packet to the first industrial-control firewall;
    The first industrial-control firewall is connected to the first switch, a second protocol whitelist is configured in the first industrial-control firewall, and the first industrial-control firewall parses the network-layer protocol and the application-layer protocol of the second data packet and, if both the network-layer protocol and the application-layer protocol used are in the second protocol whitelist, sends the second data packet to the first industrial-control encryption machine;
    The first industrial-control encryption machine is connected to the first industrial-control firewall; it parses the second data packet to obtain the first application-layer data, encrypts the first application-layer data with an encryption algorithm to obtain first encrypted data, encapsulates the first encrypted data using a preset protocol to obtain a third data packet, and sends the third data packet to the second switch.
  2. The industrial control data ferry system according to claim 1, characterized in that it further includes: a second industrial-control encryption machine and a second industrial-control firewall;
    The second industrial-control encryption machine is connected to the second industrial-control firewall; it parses the third data packet to obtain the first encrypted data, decrypts the first encrypted data with a decryption algorithm to obtain the first application-layer data, encapsulates the first application-layer data using the preset protocol to obtain a fourth data packet, and sends the fourth data packet to the second industrial-control firewall;
    A second protocol whitelist is configured in the second industrial-control firewall, which parses the network-layer protocol and the application-layer protocol of the fourth data packet and, if both the network-layer protocol and the application-layer protocol used are in the second protocol whitelist, sends the fourth data packet to the second switch.
  3. The industrial control data ferry system according to claim 2, characterized in that the second industrial-control firewall is further used to receive a fifth data packet sent by the second switch and to parse the network-layer protocol and the application-layer protocol of the fifth data packet and, if both the network-layer protocol and the application-layer protocol used are in the second protocol whitelist, to send the fifth data packet to the second industrial-control encryption machine.
  4. The industrial control data ferry system according to claim 2, characterized in that the second industrial-control encryption machine is further used to parse the fifth data packet to obtain second application-layer data, encrypt the second application-layer data with the encryption algorithm to obtain second encrypted data, encapsulate the second encrypted data using the preset protocol to obtain a sixth data packet, and send the sixth data packet to the first industrial-control encryption machine.
  5. The industrial control data ferry system according to claim 1, characterized in that the first industrial-control encryption machine is further used to parse the sixth data packet to obtain the second encrypted data, decrypt the second encrypted data with the decryption algorithm to obtain the second application-layer data, encapsulate the second application-layer data using the preset protocol to obtain a seventh data packet, and send the seventh data packet to the first industrial-control firewall.
  6. The industrial control data ferry system according to claim 1, characterized in that the first industrial-control firewall is further used to parse the network-layer protocol and the application-layer protocol of the seventh data packet and, if both the network-layer protocol and the application-layer protocol used are in the second protocol whitelist, to send the seventh data packet to the first switch.
  7. The industrial control data ferry system according to claim 6, characterized in that the industrial-control isolation gap is further used to parse the seventh data packet to obtain the second application-layer data, encapsulate the second application-layer data using a protocol supported by the terminal device to obtain an eighth data packet, and send the eighth data packet to the protocol filtering device.
  8. The industrial control data ferry system according to claim 7, characterized in that the protocol filtering device is further used to parse the application-layer protocol of the eighth data packet and, if the application-layer protocol used is in the first protocol whitelist, to send the eighth data packet to the terminal device.
  9. The industrial control data ferry system according to claim 8, characterized in that the protocol filtering device parses the application-layer protocol of any data packet and, if the application-layer protocol used is not in the first protocol whitelist, intercepts the data packet.
  10. An industrial control data ferry system, characterized in that it includes the industrial control data ferry system according to any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810323236.7A CN108322484A (en) 2018-04-11 2018-04-11 A kind of industrial control data ferry-boat system

Publications (1)

Publication Number Publication Date
CN108322484A true CN108322484A (en) 2018-07-24

Family

ID=62898101

Country Status (1)

Country Link
CN (1) CN108322484A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101083607A (en) * 2006-05-30 2007-12-05 倪海生 Internet accessing server for inside and outside network isolation and its processing method
CN104702460A (en) * 2013-12-10 2015-06-10 中国科学院沈阳自动化研究所 Method for detecting anomaly of Modbus TCP (transmission control protocol) communication on basis of SVM (support vector machine)
CN105656883A (en) * 2015-12-25 2016-06-08 冶金自动化研究设计院 Unidirectional transmission internal and external network secure isolating gateway applicable to industrial control network
CN106888221A (en) * 2017-04-15 2017-06-23 北京科罗菲特科技有限公司 A kind of Secure Information Tanslation Through Netware method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
龙根炳,刘丽萍: "《计算机网络技术及应用》", 北京理工大学出版社, pages: 153 - 154 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109617866A (en) * 2018-11-29 2019-04-12 英赛克科技(北京)有限公司 Industrial control system host session data filtering method and device
CN109617866B (en) * 2018-11-29 2021-10-12 英赛克科技(北京)有限公司 Industrial control system host session data filtering method and device
CN110620791A (en) * 2019-10-10 2019-12-27 江苏亨通工控安全研究院有限公司 Industrial safety data ferrying system with early warning function
CN111585972A (en) * 2020-04-16 2020-08-25 网御安全技术(深圳)有限公司 Security protection method and device for gatekeeper and network system
CN112261032A (en) * 2020-10-19 2021-01-22 中国石油化工股份有限公司 Industrial internet network security protection method and system based on real-time data transmission
CN112261032B (en) * 2020-10-19 2023-10-17 中国石油化工股份有限公司 Industrial Internet network safety protection method and system based on real-time data transmission
CN115102754A (en) * 2022-06-20 2022-09-23 中银金融科技有限公司 Data transmission method and system, storage medium and electronic equipment
CN115102754B (en) * 2022-06-20 2024-04-02 中银金融科技有限公司 Data transmission method and system, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180724